
6/4/2013 04:15 PM

'NetTraveler' Cyberespionage Campaign Uncovered

Nearly decade-old attack also has links to other APT groups, infrastructure

A less sophisticated but long-running cyberspying operation out of China, aimed at high-profile targets in government, embassies, oil and gas, military contractors, activists, and universities, has compromised hundreds of victims across 40 countries.

The so-called NetTraveler campaign revealed today by Kaspersky Lab comes from a midsize APT group out of China that the researchers estimate at some 50 members and that has also used other malware, including Zegost (a Gh0st RAT variant), Saker, and other APT-related tools. That doesn't mean the same group is behind Gh0stNet or other campaigns, however: "The groups and their activities are large, complex and in many ways separate, and we are simply saying that there are inter-relations in the dataset," said Kurt Baumgartner, senior security researcher for the Americas on the Global Research and Analysis Team at Kaspersky Lab, in an email interview. "This group's connections with a handful of other groups are both operational and share infrastructure."

According to Kaspersky's findings, the backdoor used in NetTraveler was likely written by the same developer who wrote the Gh0st/Zegost remote access Trojan, and NetTraveler's command-and-control IP address ranges partly overlap with Zegost's. "For instance, one of the command and control servers that is part of the infrastructure, is a well-known C2 for multiple Zegost variants, still active as of May 2013. The targets and command and control domain naming scheme indicates a connection between the Lurid/Enfal attackers and NetTraveler," according to a report published today by Kaspersky Lab. "Some of the NetTraveler C2's are used to distribute a malware known as 'Saker' or 'Xbox,' which is delivered as an 'update' to the NetTraveler victims."

And in yet another example of how we've likely only scratched the surface on APTs, the researchers also discovered that six of the NetTraveler victims -- a Russian military contractor, an embassy in Belgium, an embassy in Iran, an embassy in Kazakhstan, an embassy in Belarus, and a government organization in Tajikistan -- had also been hit by Red October, a cyberespionage campaign likely run out of Eastern Europe. Kaspersky reads the double compromise as a measure of how valuable these targets are to more than one actor.

"Threat actors infiltrate victims simultaneously and may or may not be concerned about victim overlap. Most likely, with these two groups in particular, the operators have a specific set of tasks to carry out at the victim organizations," Baumgartner says. "If they happen to see another piece of malware on the target network, and it doesn't interrupt their operation, they just go back to completing their assignments."
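The pivoting the researchers describe (a C2 host shared with Zegost, overlapping C2 address ranges, and victims shared with Red October) can be made mechanical once each campaign's indicators are collected. The following is an added example, not code from the article or from Kaspersky Lab; the campaign names come from the text, but every hostname, network prefix and victim label in it is invented for illustration. It ranks the evidence the way Baumgartner's caveat suggests: a shared C2 host is an operational link, an overlapping prefix is weaker evidence, and shared victims alone say nothing about who runs either campaign.

```python
import ipaddress
from itertools import combinations

# Constructed indicator sets for illustration. The hosts, networks and victim
# labels are invented; they are not the indicators from the Kaspersky report.
CAMPAIGNS = {
    "NetTraveler": {
        "c2_hosts": {"update.example-c2.net", "news.example-c2.org"},
        "c2_networks": ["198.51.100.0/26", "203.0.113.32/28"],
        "victims": {"embassy-A", "embassy-B", "mil-contractor-C", "university-D"},
    },
    "Zegost": {
        "c2_hosts": {"update.example-c2.net", "mail.example-zegost.com"},
        "c2_networks": ["198.51.100.0/24"],
        "victims": {"ngo-E"},
    },
    "RedOctober": {
        "c2_hosts": {"dll.example-rocra.com"},
        "c2_networks": ["192.0.2.0/24"],
        "victims": {"embassy-A", "mil-contractor-C", "ministry-F"},
    },
}


def shared_hosts(a: str, b: str) -> set[str]:
    """C2 hostnames used by both campaigns: the strongest link in the data."""
    return CAMPAIGNS[a]["c2_hosts"] & CAMPAIGNS[b]["c2_hosts"]


def overlapping_networks(a: str, b: str) -> list[tuple[str, str]]:
    """Pairs of C2 prefixes that overlap (one contains or equals the other)."""
    pairs = []
    for na in CAMPAIGNS[a]["c2_networks"]:
        for nb in CAMPAIGNS[b]["c2_networks"]:
            if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                pairs.append((na, nb))
    return pairs


def shared_victims(a: str, b: str) -> set[str]:
    """Organisations compromised by both campaigns."""
    return CAMPAIGNS[a]["victims"] & CAMPAIGNS[b]["victims"]


def classify_link(a: str, b: str) -> str:
    """Rank the evidence. Shared victims alone are not an attribution link:
    two unrelated actors can simply want the same target."""
    if shared_hosts(a, b):
        return "shared-infrastructure"
    if overlapping_networks(a, b):
        return "adjacent-infrastructure"
    if shared_victims(a, b):
        return "target-overlap-only"
    return "no-link"


def pivot_report() -> dict[tuple[str, str], str]:
    """Classify every campaign pair in the dataset."""
    return {pair: classify_link(*pair) for pair in combinations(sorted(CAMPAIGNS), 2)}


if __name__ == "__main__":
    for (a, b), verdict in pivot_report().items():
        print(f"{a} <-> {b}: {verdict}; hosts={sorted(shared_hosts(a, b))} "
              f"nets={overlapping_networks(a, b)} victims={sorted(shared_victims(a, b))}")
```

Run as a script it prints one verdict per pair. With the constructed data, NetTraveler and Zegost come out as sharing infrastructure, while NetTraveler and Red October share only victims, which is exactly the distinction the researchers draw.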

NetTraveler doesn't use zero-day attacks but instead exploits two well-known (and long-patched) vulnerabilities delivered through Microsoft Office documents: a bug in the Windows Common Controls ActiveX library (CVE-2012-0158, patched by Microsoft in April 2012, more than a year before the report) and an RTF parsing flaw in Microsoft Word (CVE-2010-3333, patched in November 2010). Like most targeted attacks, it starts with spear-phishing emails carrying attachments -- in this case, documents rigged with the Office exploits. "Although these vulnerabilities have been patched by Microsoft, they remain effective and are among the most exploited in targeted attacks," Kaspersky Lab said in its report today on NetTraveler.
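Because both exploits arrive as Office attachments, a mail gateway or incident responder can triage RTF files for the two vectors before detonating anything. This added example is not from the article or the Kaspersky report, and the heuristics it applies are the editor's assumptions: CVE-2012-0158 exploits embed an MSComctlLib ListView or TreeView ActiveX control as an OLE object inside a \objdata group, so the control's ProgID appears once the hex is decoded, and CVE-2010-3333 exploits abuse the pFragments shape property inside a \shp drawing object. The sample documents are constructed and carry only those markers, no exploit code. A hit means the vector is present, not that the file is malicious; legitimate documents can embed these controls too, so treat the tags as a reason to detonate in a sandbox rather than a verdict.

```python
import binascii
import re

# Heuristics assumed by this example (editor's assumptions, not from the
# article): the ProgIDs of the MSComctlLib controls abused by CVE-2012-0158
# exploits, and the shape property abused by CVE-2010-3333 exploits.
MSCOMCTL_PROGIDS = (b"MSComctlLib.ListViewCtrl", b"MSComctlLib.TreeCtrl")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
PFRAGMENTS_RE = re.compile(rb"\\sn\s+pFragments")


def decode_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded binary payload of every \\objdata group in the RTF.
    The payload is hex text that may be broken across lines; whitespace is
    stripped and a dangling odd nibble is dropped before decoding."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) & ~1]
        if hexdata:
            blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage(rtf: bytes) -> list[str]:
    """Return sorted tags for the known exploit vectors present in an RTF file."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return ["not-rtf"]
    tags = set()
    for blob in decode_objdata(rtf):
        if any(progid in blob for progid in MSCOMCTL_PROGIDS):
            tags.add("cve-2012-0158-vector")
    if PFRAGMENTS_RE.search(rtf):
        tags.add("cve-2010-3333-vector")
    return sorted(tags)


def _ole1_header(progid: bytes) -> bytes:
    """Minimal OLE1 embedded-object header (version, format id, length-prefixed
    class name) so the constructed sample looks like a real \\objdata payload."""
    name = progid + b"\x00"
    return b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name


# Constructed samples, not real malware: they carry only the markers above.
SAMPLE_ACTIVEX = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
    + binascii.hexlify(_ole1_header(b"MSComctlLib.ListViewCtrl.2") + b"\x00" * 32)
    + b"}}}"
)
SAMPLE_PFRAGMENTS = b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;0000}}}}}"
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly budget summary.}"

if __name__ == "__main__":
    for name, doc in [("activex", SAMPLE_ACTIVEX), ("pfragments", SAMPLE_PFRAGMENTS), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(doc))
```

The decoder is the part worth keeping: most RTF exploit tooling hides the object behind line-wrapped hex, so a scanner that only greps the raw file for the ProgID will miss it.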

The researchers say that despite the relatively unsophisticated methods, the campaign was highly successful against these high-profile victims. The bottom line: their machines had not been patched with Microsoft updates that were more than a year old.

"We found more than a handful of victims that were infiltrated by both the Red October and NetTraveler threat actors simultaneously. Where we may have suspected that it happened infrequently, we have concrete data that there are multiple high value targets that cannot adequately defend themselves -- they are easy picking for threat actors and should not be," Kaspersky's Baumgartner says.


"That's a vulnerability management issue," says Lawrence Orans, research director for Gartner. "Those Microsoft Office patches had been out there for [at least] a year, and all they had to do was patch it ... It comes down to poor processes."

Kaspersky found more than 22 gigabytes of stolen data on some of NetTraveler's 30 command and control servers, including file system listings, key logs, PDFs, Excel spreadsheets, Word documents, and other files. The NetTraveler malware also can be used to install custom tools that target computer-aided design (CAD) files and application configuration information, for example.

Among the topics of interest for the NetTraveler APT group are space exploration, nanotechnology, energy production, nuclear power, laser technology, medicine, and communications. Mongolia (29 percent), Russia (19 percent), India (11 percent), and Kazakhstan (11 percent) had the most victims; infected targets were also found in the U.S., Canada, UK, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Iran, Turkey, Pakistan, South Korea, Thailand, Qatar, and Jordan.

Some 32 percent of the victims were in the diplomacy realm; 19 percent, government; 11 percent, private; and 9 percent, military.

The full Kaspersky Lab report on NetTraveler is available as a PDF download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
